Klaus Jochem

The neverending local administrative rights story

Last week I discussed IT security related topics with the computational biology systems group. It’s hard to believe, but most of the scientists work with Linux, most of the time with a bare bash (Bourne-again shell).

What surprised me was that no scientist works with permanent super user rights. Everyone works with a standard user account, but has the option to switch context with SUDO if necessary. Very impressive!

‘Way of working’ is an essential part of every security strategy. Sometimes large security gains could be achieved with small changes to the way of working, at a fraction of the cost of technology based measures.

With Windows users I have endless discussions about the pros and cons of working with permanent administrative rights. There are good reasons for working this way, but as a result we create a security hole the size of a barn door that may compromise all other security measures. Nearly every Microsoft security bulletin carries the same sentence:

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’

Bingo!

Waiving permanent administrative rights need not have serious disadvantages for user productivity. Microsoft implemented a technology similar to SUDO with Windows Vista.

Windows User Account Control (UAC) allows standard users to execute functions where administrative rights are required. If this is the case, UAC prompts for administrative privileges before executing the command.

The solution in just 3 steps:

1. Communicate the new policy and the new way of working to users with local admin rights.
2. Create a local account Useridloc and add account Useridloc to the local administrators group.
3. Remove account Userid from the local administrators group.

When UAC requests administrative privileges the user inputs the credentials of Useridloc.

Please note: Since users can re-add themselves to the local administrators group, please audit compliance with the policy regularly.

By the way, if Useridloc is used with runas (the Windows counterpart of SUDO), commands can be executed directly with administrative rights.
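The three steps above, the compliance audit and the runas shortcut, as an added PowerShell example for a single workstation (not a script from the original post). It assumes an English Windows installation (local group named "Administrators"), the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), an elevated session, that Userid is a local account (a domain account would have to be named as DOMAIN\Userid), and an allow-list that is constructed for this example.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$Userid    = 'Userid',     # everyday account (placeholder name from the post)
    [string]$Useridloc = 'Useridloc'   # new local admin account (placeholder name from the post)
)
$adminGroup = 'Administrators'   # assumes an English Windows installation

# Members of the local Administrators group, reduced to the bare account name
# (Get-LocalGroupMember returns "COMPUTER\name" or "DOMAIN\name").
function Get-AdminMemberNames {
    Get-LocalGroupMember -Group $adminGroup | ForEach-Object { ($_.Name -split '\\')[-1] }
}

# Step 2: create Useridloc (if missing) and add it to the local administrators group.
if (-not (Get-LocalUser -Name $Useridloc -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $Useridloc"
    New-LocalUser -Name $Useridloc -Password $pw `
        -Description 'Local admin account, used only at the UAC prompt or with runas' | Out-Null
}
if ((Get-AdminMemberNames) -notcontains $Useridloc) {
    Add-LocalGroupMember -Group $adminGroup -Member $Useridloc
}

# Step 3: remove the everyday account Userid from the local administrators group.
if ((Get-AdminMemberNames) -contains $Userid) {
    Remove-LocalGroupMember -Group $adminGroup -Member $Userid
}

# Audit (the post's note): users can re-add themselves, so compare the group
# against an allow-list. The allow-list here is constructed for the example.
$allowed = @('Administrator', $Useridloc)
$violations = Get-LocalGroupMember -Group $adminGroup |
    Where-Object { $allowed -notcontains ($_.Name -split '\\')[-1] }
if ($violations) {
    Write-Warning "Unexpected members of '$adminGroup' on $env:COMPUTERNAME"
    $violations | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Host "Local Administrators group on $env:COMPUTERNAME is compliant."
}

# Day-to-day use: UAC prompts for Useridloc's credentials when elevation is
# needed; a single command can also be run elevated with runas (the Windows
# counterpart of sudo), e.g.:  runas /user:Useridloc cmd.exe
```

Run the audit part on its own from a scheduled task or your management tooling to catch accounts that were re-added after the change.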